Allstate.com’s poor judgement on email policy

I have insurance through Allstate. A month ago I used their website to look at my account information and they had to snail mail me a PAK (Personal Authorization Key) for security purposes. That's fine.

I get the PAK but due to holidays, etc., I don’t use it. Yesterday I get an email from Allstate reminding me that they had sent me my PAK, and in the email were two links, both ending in the domain “rsc01.net”.

Ok, this is fishy I thought. So I used their website (going there manually) to complain about this.

Lastly, I get an email follow-up whose links go to rsc01.net, and you can be damned sure my phishing plugin for the Mac caught this. Even the “Email us” link is to that domain, and not allstate.com.

Allstate.com’s response:

Please be advised we outsource our email – that is why your email is from rsc01. Allstate does not sell any sort of email address – rsc01 is a trusted source.

And my response:

John, I understand this, but you are missing the point. Any customer would be a fool to use those links because the customer has no way to know it is a trusted source.

In this day and age of identity theft it is with severe lack of judgement that Allstate sends out emails with some odd domain in the content. At the very least, there should be an allstate.com email address that the outsourcers access, or something.

Please reconsider this policy. It is in very poor judgement to train customers, especially the elderly, that it is ok to click a link from an unknown source.